Add tests for sha256-rsa-MGF1 (#515)

Author: kaibernhard

test/saml-response-tests.spec.ts

@@ -23,6 +23,38 @@ describe("SAML response tests", function () {
     expect(sig.getSignedReferences().length).to.equal(1);
   });
 
+  it("test validating SAML response with sha256-rsa-MGF1", function () {
+    const xml = fs.readFileSync("./test/static/valid_saml_sha256_rsa_mgf1.xml", "utf-8");
+    const doc = new xmldom.DOMParser().parseFromString(xml);
+    const signature = xpath.select1(
+      "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']",
+      doc,
+    );
+    isDomNode.assertIsNodeLike(signature);
+    const sig = new SignedXml();
+    sig.publicCert = fs.readFileSync("./test/static/idp_certificate.pem");
+    sig.loadSignature(signature);
+    const result = sig.checkSignature(xml);
+
+    expect(result).to.be.true;
+  });
+
+  it("test validating SAML response with sha256-rsa-MGF1 fails for modified file", function () {
+    const xml = fs.readFileSync("./test/static/invalid_saml_sha256_rsa_mgf1.xml", "utf-8");
+    const doc = new xmldom.DOMParser().parseFromString(xml);
+    const signature = xpath.select1(
+      "/*/*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']",
+      doc,
+    );
+    isDomNode.assertIsNodeLike(signature);
+    const sig = new SignedXml();
+    sig.publicCert = fs.readFileSync("./test/static/idp_certificate.pem");
+    sig.loadSignature(signature);
+    const result = sig.checkSignature(xml);
+
+    expect(result).to.be.false;
+  });
+
   it("test validating wrapped assertion signature", function () {
     const xml = fs.readFileSync("./test/static/valid_saml_signature_wrapping.xml", "utf-8");
     const doc = new xmldom.DOMParser().parseFromString(xml);

test/signature-unit-tests.spec.ts

@@ -6,7 +6,75 @@ import * as crypto from "crypto";
 import { expect } from "chai";
 import * as isDomNode from "@xmldom/is-dom-node";
 
+const signatureAlgorithms = [
+  "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+  "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+  "http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1",
+  "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
+];
+
 describe("Signature unit tests", function () {
+  describe("sign and verify", function () {
+    signatureAlgorithms.forEach((signatureAlgorithm) => {
+      function signWith(signatureAlgorithm: string): string {
+        const xml = '<root><x attr="value"></x></root>';
+        const sig = new SignedXml();
+        sig.privateKey = fs.readFileSync("./test/static/client.pem");
+
+        sig.addReference({
+          xpath: "//*[local-name(.)='x']",
+          digestAlgorithm: "http://www.w3.org/2000/09/xmldsig#sha1",
+          transforms: ["http://www.w3.org/2001/10/xml-exc-c14n#"],
+        });
+
+        sig.canonicalizationAlgorithm = "http://www.w3.org/2001/10/xml-exc-c14n#";
+        sig.signatureAlgorithm = signatureAlgorithm;
+        sig.computeSignature(xml);
+        return sig.getSignedXml();
+      }
+
+      function loadSignature(xml: string): SignedXml {
+        const doc = new xmldom.DOMParser().parseFromString(xml);
+        const node = xpath.select1(
+          "//*[local-name(.)='Signature' and namespace-uri(.)='http://www.w3.org/2000/09/xmldsig#']",
+          doc,
+        );
+        isDomNode.assertIsNodeLike(node);
+        const sig = new SignedXml();
+        sig.publicCert = fs.readFileSync("./test/static/client_public.pem");
+        sig.loadSignature(node);
+        return sig;
+      }
+
+      it(`should verify signed xml with ${signatureAlgorithm}`, function () {
+        const xml = signWith(signatureAlgorithm);
+        const sig = loadSignature(xml);
+        const res = sig.checkSignature(xml);
+        expect(
+          res,
+          `expected all signatures with ${signatureAlgorithm} to be valid, but some reported invalid`,
+        ).to.be.true;
+      });
+
+      it(`should fail verification of signed xml with ${signatureAlgorithm} after manipulation`, function () {
+        const xml = signWith(signatureAlgorithm);
+        const doc = new xmldom.DOMParser().parseFromString(xml);
+        const node = xpath.select1("//*[local-name(.)='x']", doc);
+        isDomNode.assertIsElementNode(node);
+        const targetElement = node as Element;
+        targetElement.setAttribute("attr", "manipulatedValue");
+        const manipulatedXml = new xmldom.XMLSerializer().serializeToString(doc);
+
+        const sig = loadSignature(manipulatedXml);
+        const res = sig.checkSignature(manipulatedXml);
+        expect(
+          res,
+          `expected all signatures with ${signatureAlgorithm} to be invalid, but some reported valid`,
+        ).to.be.false;
+      });
+    });
+  });
+
   describe("verify adds ID", function () {
     function nodeExists(doc, xpathArg) {
       if (!doc && !xpathArg) {

test/static/idp_certificate.pem

@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFFzCCAv+gAwIBAgIUaAU88KUbZLe7NwTw+jdCHIDU6wIwDQYJKoZIhvcNAQEL
+BQAwGjEYMBYGA1UEAwwPaWRwLmV4YW1wbGUuY29tMCAXDTI1MDkwODExMTUzMFoY
+DzIxMjUwODE1MTExNTMwWjAaMRgwFgYDVQQDDA9pZHAuZXhhbXBsZS5jb20wggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDXpgSoph176VQPw+4e91UAL6j0
+TbL/aI3Amj62TU91KOk4xigy+8xFSeU2IC64W7abfFq+25K+1ybJmMBq94UKyKab
+7yeXmen2xJ9PT5br4TwnsbeBZrziXSR8uTE60DdWLZYJEBREgu96JeEWLzP/0Hfn
+FlnuG5kXlb6rpy7l723YeDvU9lvsm6Rj46m5R8j4CSenKmLsHSIhmNP59SsEpJ16
+D+RfKcrKqxPxp6t/oCEKXjpmOeGoX9WT5V9UMxrGFgY2YLab9tLCIK48i6rgXpHU
+nbMq2XyAT58bSG/Tif99hoiQ2ovzsVUrVeCa4/uUg/pr+w1bZnIBl6R8WVPTVwgm
+YN+8Ww27aLiNksCn70t74XZLr9xnYnbnj324AiZp9Z48vDECm41Tc+V9eqGNO/5Y
+LgZqoGTy4El3AMcNF3lkecZ2UZKMI341pI1vHyRG0jCr2ZYpy30pYQKd+Z7AvZKM
+UTJFQfBIOn3zXN6SA8lWZLPOW4VTdOfcGjQij3AUDeTeilUigpRgkTl97WUrGfas
+vLXMrdRoXYxjGPe+s4+tf+gnKhTVQ6h6we+ISaFVOeXpCrOUwZM0OdikQtKYgH0G
+9OrJKxDZDl4YkkYFqqhyw5Eum9HZwMU8631lkBSqMRgz8AX7KdBn1PrGS6wOp+GC
+28L1ISeRxRriWtaeXQIDAQABo1MwUTAdBgNVHQ4EFgQULRbUCREu3zQABqNW8LMO
+fraF5BMwHwYDVR0jBBgwFoAULRbUCREu3zQABqNW8LMOfraF5BMwDwYDVR0TAQH/
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAA6Jm3pll7XHBY/oXrtRAu60RpH4p
+cZBSf68zhCQKUnXALy2FWrUGU8uVCJJuxXIcxszTOCZmwVF12YceIFpBrWHxKCDZ
+WYDO6hrwZvsa2vh5mXDZo3c/HX6GmJR4f4oIIZnbxFhXR30419PlrwMW3Rk7rnVS
+Dz/HpQfdS4y8jYgsm2dIRo+PXQytFRCDj4afsT3eZa27QjFxLTuK+SwkhupSH1WW
+YmqL9+iIJiLL/ntfM4MwtOUwcfqI0ttbvFZZIPneBCuEDLn/zJ/QBV3ZvjQDt53W
+21HaPGPHBBfVZVroZPvuGvulWRLeECI1Hmbl3al/2aOC0LWzPIk8dlTcN+EWcCEu
+fpTOEgkob8waEyxlX0Z5OBjkCHpyDTPGkxBBOCJv88Frx7qdbu8eSV0OviuaM/B7
+ky2NbDMKIybX4tf/Q8FNfjPLvTv+8nbrMz6kTno3RR2YC7ttI7Glb/eOg3F/ouF4
+wcoPAj+OyU5Q5WJMMaZ9cXF9pwszsglLbFms+WD5PFxlloh6I1hO7TccWKTeUJ5f
+YZSYYm31JqWit3DBltXTyRyL7KFSdT/FyRBk62YLCJqJmcukIUJUTya73/RmjW1M
+4zMBNaIj/pH77opKWnVbm9F4XnBCG4r9+FRXdV2zKW6DgvDzQ6DaZ+0cwC36vSqk
+DyjZYv/tviuWfM8=
+-----END CERTIFICATE-----

test/static/idp_private_key.pem

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDXpgSoph176VQP
+w+4e91UAL6j0TbL/aI3Amj62TU91KOk4xigy+8xFSeU2IC64W7abfFq+25K+1ybJ
+mMBq94UKyKab7yeXmen2xJ9PT5br4TwnsbeBZrziXSR8uTE60DdWLZYJEBREgu96
+JeEWLzP/0HfnFlnuG5kXlb6rpy7l723YeDvU9lvsm6Rj46m5R8j4CSenKmLsHSIh
+mNP59SsEpJ16D+RfKcrKqxPxp6t/oCEKXjpmOeGoX9WT5V9UMxrGFgY2YLab9tLC
+IK48i6rgXpHUnbMq2XyAT58bSG/Tif99hoiQ2ovzsVUrVeCa4/uUg/pr+w1bZnIB
+l6R8WVPTVwgmYN+8Ww27aLiNksCn70t74XZLr9xnYnbnj324AiZp9Z48vDECm41T
+c+V9eqGNO/5YLgZqoGTy4El3AMcNF3lkecZ2UZKMI341pI1vHyRG0jCr2ZYpy30p
+YQKd+Z7AvZKMUTJFQfBIOn3zXN6SA8lWZLPOW4VTdOfcGjQij3AUDeTeilUigpRg
+kTl97WUrGfasvLXMrdRoXYxjGPe+s4+tf+gnKhTVQ6h6we+ISaFVOeXpCrOUwZM0
+OdikQtKYgH0G9OrJKxDZDl4YkkYFqqhyw5Eum9HZwMU8631lkBSqMRgz8AX7KdBn
+1PrGS6wOp+GC28L1ISeRxRriWtaeXQIDAQABAoICAGhLJwKngCfu4xRS1mWMicPy
+yNwKffDPUIsfLgg94JlRhWXLVCLAK30xLVUdgGryFCEjpcGbcN+yL1SddyXkeqgJ
+/aX5pmTH7+LEGiYh4GRJBK5P4WeIV/6EPILDj/8ZN0IK/v54E81Eo+wnyLHRd20X
+lf2hjjG9kC9bYSEkVGapAq+ICqvG0BNg/MLAltOAV745sz9CHSCDQIAOKSrAuyLe
+ODkR2Yl6rVSSI62iQSuStpgMlWLeSHgFjUYfTxjqNF8rxKpk4LwSRcDUTGAEzkoA
+ArhY4o9tKqzllRX9VPPyUCmVuJOR1tCvaXjxahSPARvFLoYtnzqek7GYdNkc3JA8
+yMOnXAVfuJ6xML9gFQvCJ9qFL5ayVBi+2OSXpKX0O2AwIOqFilT8/QSoR6bJXMwJ
+R4VRtsUbvQ84wG7cRSmGpMWs+PrGOgO2JmjCeLPrSZXNUIYchxGun+nG1OlBMjTc
+GdEzUdC0BLwOuGpvTKtCMDvwXStogq1PtjCHvEfjX84jtlV3mvJFHnqIJBGkLQPX
+O9P2SVL3g8vNwuAKvfMtSgW2sUXf+nFBtiAFXqXdYy0vL3O4AAoWU8Jfl5EUbO1S
+bAGJcF5N9vsSFGDfcZzuAbbSdj6qUlIkncTBlVO/tWsdFIg9BXbH/qQZEaprX//P
+5Z5wv+qBL353z7nCkb8zAoIBAQDrBQ8R49u/Pxupvr5pcFfZ14ifmIZnUar1bkig
+o/ylb6Si3WgQ5PP788snYp2R3kbo+JBrdyl/OQBWgtCKOXxFllrBjwlihDXnK+SB
+igqHCkKbjTMjI+Gkgot7sR+tC9UnM0SNHlX6fkWfbmj6dQIIv0Cd3yOzx/v+ml2w
+TUwxCfmroiX67y3Sl0yVAGmXfjQ1uRCLBiulJEfONAu6+it0H8Whtx5d9FglF2Hj
+ll+cOamAB+GZiJzAF6MucizS+Cfw+kWkrlOpFj2EqE7Z847Bhp1b6TSPCVZ+IUpY
+1FTYIBw1JFe7xeRKsfHs0KgrpSf3AxuSalFfpLeV997+sd/3AoIBAQDq5kPnZZTT
+V/i+DCa3Q94gNNQC+6j1YE/PDaQeOS7ybYz6pFizrIn6ioIfKD1as8vViTnvw9kq
+CehnO+rOzPA4oloVFDNKqliLViJMz7CY8hRoiOUuLzGbsmTyqvjcSi39IOmWs7Pq
+YFE0vDftEimMCxLNuTP/JpSa1ZY9std0Ljkk9zBTAykkXrrmjUxvd938DMSOqAv/
+Pnib/Oq5cumROMXpPaRMjvhc56iyfEyluTntpJREN9KHvtll8TrGmDk/WW8sF87t
+jmr0hNSa4dFOTkUS+EODL6BPKg+MwGN6UL7L811qztErKtFCK77JGr+dq66fU1bV
+y9JHSPYvJ8dLAoIBAQCnSUWNzWwoeEo/jCdLNA1EYXe9ajsZJfeTlXma5r86HvrI
+duLRS7cju0f68+YG43oD8JIT/JEMHs3PxnOcQAjmG3zkU+UxO7yGnSac0l5l+vao
+dFxXAf5mNAoG9HAAo/CIY6TC8jnvAJycPGH7DPhys3fSJ/foy0vi0Ywopwy5x0jx
+U4zHTiKGyO1ZDh8bF1kgeGd/HdhJR0bZTxCeed4eXVM2pfq2k+t+E2O5NNs/f4fY
+O0PpHmW9EdY0hE7FqJ/9lpel/fRM4ijN2WOvHf+aXzB5MMkZm2L2ism56wGtiUWq
+ygCtBtJWHM2AbJGX54pH9+1TTdw4QS3wUKxpDMHHAoIBAAcs9ZISBlPWciDMGjqq
+9hQhyQA2U9j7EjUPA55wvMBnHFFjx9nlQWnH5WWyQv2MVIO3Z2+tmeqw1sqgh/G9
+TPFN9FaEgXScc4v+G5ohFhH2Ay2WUPnyMx/AeVj4ZBXGplT/NmOGJc7ZFmH4BfVW
+ArLme7KRH8eBlDSOpcJIvlAsQU6hxnYiuJUF18vHMTiOftd+RFrfQ06Ox/xr43e6
+zOvEwjb3zRcRnwCniv240laVq/FYf7b9xY6kA9wbXGJIsCcBQmYkbAvRt+60SBJb
+J5uuxGlp8BYH1GvWqxbvoZpQ8SMl0gq7OqSI8E+HKpLWIFhesDzpvNNXIJtQ3URf
+gLUCggEAa0SzoEaLut65B1mQuYaYXCvyXohRJn49BoHULUub/Zg2D+mPMJcyefBK
+o/FUZD8ewXUiEoj6eoEXHTT8eOSvhXQHp2dc6AW6rADzL4Ni0oSQ8LwT5fgGq7B7
+yxWXkSkK3T43RLvrb7FSV21WTcsXYH560LHa5me1S4Pb1Zrz8+KCRNdNcoffZMfi
+b09pdLkS7Sbiskg69NrOFmwfD8SdAb9opPLY5lLWEVtkaPwQS4MrboJJlDutV9VC
+/Ye8QbuMwKQHduhAGGsCpkEwZhO5T4owdebVeY28t80HsInv7mFuiqZbIN/BMnU7
+zvi/SKHNm+elLUD1r7tC3+KVTtqSSw==
+-----END PRIVATE KEY-----

test/static/invalid_saml_sha256_rsa_mgf1.xml

@@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://acs.example.com/" ID="_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" InResponseTo="inResponseTo" IssueInstant="2000-01-01T01:00:00Z" Version="2.0"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+<ds:SignedInfo>
+<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+<ds:SignatureMethod Algorithm="http://www.w3.org/2007/05/xmldsig-more#sha256-rsa-MGF1"/>
+<ds:Reference URI="">
+<ds:Transforms>
+<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+</ds:Transforms>
+<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+<ds:DigestValue>bA/90zzLS/36DstvPJRrMNwGax5WQv8NneSuNdLnMYs=</ds:DigestValue>
+</ds:Reference>
+</ds:SignedInfo>
+<ds:SignatureValue>
+0fK5rJEtj0+JIL3hAuDsEAuKYoiwHzZTgQgspLyEe+XQan1FzT+qu3GBJSpSDfArBHjHXtizVfi8
+irId6a1kOj6ShEw2ZSGYD8Dh2d0HmrHqlOqpZ5eLiWeFA6VTtW1Cqmvr+x4Ndxcg0wWmmGr4hpSD
+Yg8fkA8e32Fd2QxqLsQqVlCcuvJVCJ/12XSGcMW+Tse254fN6JENLLUdilu+14NNQKAHpKpjeajg
+jG3fn0VNvyVQXKi2deYTWYaLRujBgv3Ncz8t9Hjthk+XxrRVHJiGc6HyVvqdpi5ChM41fjB1+eBo
+NkZ0Q73ZSCbTAqVduUWqL5pQzINq16kUm2ovkg7h3JoqSQr5yhoBJXZEf6FEyYdCCLd3rlIrkcvD
++wfF2CwNRc6utgO/05JAA7Z1x2e0K6o2a6EQy93dkUIBhpxPYU/IdmGb15AfKJ3OrB1K/jTrxZ2q
+og/u0fJe0vU1sL4EDOXqVMj/unTZqDP/K1mOHK/eDWafs/IwMv65ebZUwTk74AMk/oOYV9mL8beY
+JAVYMN+xPA1cXnHlRgwATWLXjfiQcMXo44nhaw0YlOUGIoRLYURqHmXz0W3d8pXYdybLmdClkqLR
+vo1ryK1OC2paYG9qwk51QJ5wzMv6HRB5tDIL9/7mP7khlKgm4p+EZXFGYmvYDbk2x219SvxPmfY=
+</ds:SignatureValue>
+<ds:KeyInfo>
+<ds:KeyValue>
+<ds:RSAKeyValue>
+<ds:Modulus>
+16YEqKYde+lUD8PuHvdVAC+o9E2y/2iNwJo+tk1PdSjpOMYoMvvMRUnlNiAuuFu2m3xavtuSvtcm
+yZjAaveFCsimm+8nl5np9sSfT0+W6+E8J7G3gWa84l0kfLkxOtA3Vi2WCRAURILveiXhFi8z/9B3
+5xZZ7huZF5W+q6cu5e9t2Hg71PZb7JukY+OpuUfI+Aknpypi7B0iIZjT+fUrBKSdeg/kXynKyqsT
+8aerf6AhCl46ZjnhqF/Vk+VfVDMaxhYGNmC2m/bSwiCuPIuq4F6R1J2zKtl8gE+fG0hv04n/fYaI
+kNqL87FVK1XgmuP7lIP6a/sNW2ZyAZekfFlT01cIJmDfvFsNu2i4jZLAp+9Le+F2S6/cZ2J25499
+uAImafWePLwxApuNU3PlfXqhjTv+WC4GaqBk8uBJdwDHDRd5ZHnGdlGSjCN+NaSNbx8kRtIwq9mW
+Kct9KWECnfmewL2SjFEyRUHwSDp981zekgPJVmSzzluFU3Tn3Bo0Io9wFA3k3opVIoKUYJE5fe1l
+Kxn2rLy1zK3UaF2MYxj3vrOPrX/oJyoU1UOoesHviEmhVTnl6QqzlMGTNDnYpELSmIB9BvTqySsQ
+2Q5eGJJGBaqocsORLpvR2cDFPOt9ZZAUqjEYM/AF+ynQZ9T6xkusDqfhgtvC9SEnkcUa4lrWnl0=
+</ds:Modulus>
+<ds:Exponent>AQAB</ds:Exponent>
+</ds:RSAKeyValue>
+</ds:KeyValue>
+<ds:X509Data>
+<ds:X509Certificate>
+MIIFFzCCAv+gAwIBAgIUaAU88KUbZLe7NwTw+jdCHIDU6wIwDQYJKoZIhvcNAQELBQAwGjEYMBYG
+A1UEAwwPaWRwLmV4YW1wbGUuY29tMCAXDTI1MDkwODExMTUzMFoYDzIxMjUwODE1MTExNTMwWjAa
+MRgwFgYDVQQDDA9pZHAuZXhhbXBsZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
+AQDXpgSoph176VQPw+4e91UAL6j0TbL/aI3Amj62TU91KOk4xigy+8xFSeU2IC64W7abfFq+25K+
+1ybJmMBq94UKyKab7yeXmen2xJ9PT5br4TwnsbeBZrziXSR8uTE60DdWLZYJEBREgu96JeEWLzP/
+0HfnFlnuG5kXlb6rpy7l723YeDvU9lvsm6Rj46m5R8j4CSenKmLsHSIhmNP59SsEpJ16D+RfKcrK
+qxPxp6t/oCEKXjpmOeGoX9WT5V9UMxrGFgY2YLab9tLCIK48i6rgXpHUnbMq2XyAT58bSG/Tif99
+hoiQ2ovzsVUrVeCa4/uUg/pr+w1bZnIBl6R8WVPTVwgmYN+8Ww27aLiNksCn70t74XZLr9xnYnbn
+j324AiZp9Z48vDECm41Tc+V9eqGNO/5YLgZqoGTy4El3AMcNF3lkecZ2UZKMI341pI1vHyRG0jCr
+2ZYpy30pYQKd+Z7AvZKMUTJFQfBIOn3zXN6SA8lWZLPOW4VTdOfcGjQij3AUDeTeilUigpRgkTl9
+7WUrGfasvLXMrdRoXYxjGPe+s4+tf+gnKhTVQ6h6we+ISaFVOeXpCrOUwZM0OdikQtKYgH0G9OrJ
+KxDZDl4YkkYFqqhyw5Eum9HZwMU8631lkBSqMRgz8AX7KdBn1PrGS6wOp+GC28L1ISeRxRriWtae
+XQIDAQABo1MwUTAdBgNVHQ4EFgQULRbUCREu3zQABqNW8LMOfraF5BMwHwYDVR0jBBgwFoAULRbU
+CREu3zQABqNW8LMOfraF5BMwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAA6Jm
+3pll7XHBY/oXrtRAu60RpH4pcZBSf68zhCQKUnXALy2FWrUGU8uVCJJuxXIcxszTOCZmwVF12Yce
+IFpBrWHxKCDZWYDO6hrwZvsa2vh5mXDZo3c/HX6GmJR4f4oIIZnbxFhXR30419PlrwMW3Rk7rnVS
+Dz/HpQfdS4y8jYgsm2dIRo+PXQytFRCDj4afsT3eZa27QjFxLTuK+SwkhupSH1WWYmqL9+iIJiLL
+/ntfM4MwtOUwcfqI0ttbvFZZIPneBCuEDLn/zJ/QBV3ZvjQDt53W21HaPGPHBBfVZVroZPvuGvul
+WRLeECI1Hmbl3al/2aOC0LWzPIk8dlTcN+EWcCEufpTOEgkob8waEyxlX0Z5OBjkCHpyDTPGkxBB
+OCJv88Frx7qdbu8eSV0OviuaM/B7ky2NbDMKIybX4tf/Q8FNfjPLvTv+8nbrMz6kTno3RR2YC7tt
+I7Glb/eOg3F/ouF4wcoPAj+OyU5Q5WJMMaZ9cXF9pwszsglLbFms+WD5PFxlloh6I1hO7TccWKTe
+UJ5fYZSYYm31JqWit3DBltXTyRyL7KFSdT/FyRBk62YLCJqJmcukIUJUTya73/RmjW1M4zMBNaIj
+/pH77opKWnVbm9F4XnBCG4r9+FRXdV2zKW6DgvDzQ6DaZ+0cwC36vSqkDyjZYv/tviuWfM8=
+</ds:X509Certificate>
+</ds:X509Data>
+</ds:KeyInfo>
+</ds:Signature>
+    <saml:Issuer>https://idp.example.com/</saml:Issuer>
+    <samlp:Status>
+        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+    </samlp:Status>
+    <saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_bbbbbbbbbbbbbbbbbbbbbbbb" IssueInstant="2000-01-01T01:00:00Z" Version="2.0">
+        <saml:Issuer>https://idp.example.com/</saml:Issuer>
+        <saml:Subject>
+            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="audience">modifiedFakeNameId</saml:NameID>
+            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+                <saml:SubjectConfirmationData InResponseTo="inResponseTo" NotOnOrAfter="3000-01-01T01:00:00Z" Recipient="https://acs.example.com/"/>
+            </saml:SubjectConfirmation>
+        </saml:Subject>
+        <saml:Conditions NotBefore="2000-01-01T01:00:00Z" NotOnOrAfter="3000-01-01T01:00:00Z">
+            <saml:AudienceRestriction>
+                <saml:Audience>audience</saml:Audience>
+            </saml:AudienceRestriction>
+        </saml:Conditions>
+        <saml:AuthnStatement AuthnInstant="2000-01-01T01:00:00Z" SessionIndex="42" SessionNotOnOrAfter="3000-01-01T01:00:00Z">
+            <saml:AuthnContext>
+                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
+            </saml:AuthnContext>
+        </saml:AuthnStatement>
+    </saml:Assertion>
+</samlp:Response>

test/static/unsigned_saml_response.xml

@@ -0,0 +1,46 @@
+<samlp:Response
+    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
+    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+    ID="_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+    Version="2.0"
+    IssueInstant="2000-01-01T01:00:00Z"
+    Destination="https://acs.example.com/"
+    InResponseTo="inResponseTo">
+    <saml:Issuer>https://idp.example.com/</saml:Issuer>
+    <samlp:Status>
+        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
+    </samlp:Status>
+    <saml:Assertion
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xmlns:xs="http://www.w3.org/2001/XMLSchema"
+        ID="_bbbbbbbbbbbbbbbbbbbbbbbb"
+        Version="2.0" IssueInstant="2000-01-01T01:00:00Z">
+        <saml:Issuer>https://idp.example.com/</saml:Issuer>
+        <saml:Subject>
+            <saml:NameID
+                SPNameQualifier="audience"
+                Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">nameId</saml:NameID>
+            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
+                <saml:SubjectConfirmationData
+                    NotOnOrAfter="3000-01-01T01:00:00Z"
+                    Recipient="https://acs.example.com/"
+                    InResponseTo="inResponseTo"/>
+            </saml:SubjectConfirmation>
+        </saml:Subject>
+        <saml:Conditions
+            NotBefore="2000-01-01T01:00:00Z"
+            NotOnOrAfter="3000-01-01T01:00:00Z">
+            <saml:AudienceRestriction>
+                <saml:Audience>audience</saml:Audience>
+            </saml:AudienceRestriction>
+        </saml:Conditions>
+        <saml:AuthnStatement
+            AuthnInstant="2000-01-01T01:00:00Z"
+            SessionNotOnOrAfter="3000-01-01T01:00:00Z"
+            SessionIndex="42">
+            <saml:AuthnContext>
+                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
+            </saml:AuthnContext>
+        </saml:AuthnStatement>
+    </saml:Assertion>
+</samlp:Response>